Proposed Guidance on Climate Change Risk Management for NY Financial Institutions

Proposed Guidance on Climate-Related Risks for New York Institutions

On December 21, 2022, the New York Department of Financial Services (DFS) issued proposed guidance (the Guidance¹) for New York State-regulated banking organizations, branches, and agencies of foreign banking organizations, and mortgage bankers and servicers (Covered Institutions) on climate change risk management. The Guidance supplements  DFS’ prior October 2020 industry letter² that set forth its expectation that Covered Institutions begin to integrate climate-related financial risk (CRFR) into their governance frameworks, risk management processes, and business strategies. The Guidance advises institutions on best practices to identify, measure, monitor, and control CRFRs that threaten operational resilience and safety and soundness.

Key Elements of the NY DFS Climate Risk Guidance Proposal

Managing climate change risk is necessary for Covered Institutions to both thrive in today’s global, competitive financial landscape, and to foster resilience of the New York financial system. While stressing the importance of integration of CRFR, DFS provides Covered Institutions three themes to consider:

Risks are Evolving — When adjusting their management of CRFR with regard to operations and investments, Covered Institutions will need to rely on data and other climate change information on issues, such as natural disasters and population growth, that are constantly changing.  DFS, however, will not accept that excuse as a justification for inaction. Covered Institutions should consider the dynamic nature of CRFR and search for overall trends and patterns in climate-related data when designing their approaches and methodologies to CRFR management

Approaches to CRFR should Consider the Size and Complexity of the Covered Institution — The Guidance notes that Covered Institutions should consider their CRFR exposure as well as their size, geography, resource availability, and complexity when implementing CRFR management. Additionally, an Institution should take a risk-based approach to climate risks, based on both current and forward-looking risk exposure

Covered Institutions Must Still Comply with Fair Lending Obligations — Low- and moderate-income communities and communities of color are disproportionately harmed by climate change and natural disasters. The Guidance emphasizes that mitigation of CRFR implemented by the Covered Institution cannot cause additional undue harm or disadvantage to at-risk communities

Guidance and Examples

Climate risks are categorized as either physical risks or transition risks. Physical risks are weather-related volatility, such as natural disasters, and they affect infrastructure, real property, and personal safety. Transition risks are economic and behavioral shifts associated with the policy, technology, consumer, and investor preference, and liability risk changes.  

Covered Institutions should consider both physical and transition risks in a CRFR management framework. 

Corporate Governance

An institution’s governance framework is expected to include a process for identifying, measuring, monitoring, and controlling the institution’s CRFR.

1. Business Environment Strategy
Institutions should incorporate climate risk into their risk management framework by considering questions such as:

• Which business areas are or may be exposed to these risks?
• What is the resiliency of their business models?
• What is the current or potential future materiality of the risks? 
• Does CRFR require consideration across all business areas and processes or only those areas and processes that are or may be particularly exposed?

2. Board and Management Oversight
An Institution’s board and management should have adequate understanding and knowledge to assess CRFR and their impacts on the risk appetite of the organization when integrating climate change into the risk appetite framework. This oversight may include:

• Creating a committee to oversee CRFR; and
• Considering potential timelines for the materialization of climate risks.

3. Policies, Procedures, and Limits
CRFR management should be embedded into policies and procedures and controls across relevant functions and business units. It should be modified when necessary to reflect changes in risk and the institution’s activities.

Internal Control Framework

Institutions should incorporate CRFR into their three lines of defense:

1. The risk-taking function should assess CRFR during client onboarding, credit application, and credit review processes by understanding how the potential physical and transition risk impacts clients
2. As the risk management function, it should conduct independent climate related risk assessment and monitoring, including potentially challenging the assessment conducted by the first line of defense
3. As the internal audit function, it should conduct regular independent reviews of the institution’s climate related internal control framework and systems

Risk Management Process
Institutions should manage their CRFR through their existing risk management framework as follows:

1. Identify Risk — Institutions should consider how physical and transition risks impact different asset classes, sectors, counterparties, or geographic locations to adjust the existing risk framework. Identification of these risk drivers should occur at the transaction, portfolio, and entity or Group level, as appropriate
2. Measure Risk — Institutions should develop appropriate key risk measurement tools or indicators, as part of existing risk measurement systems
3. Monitor Risk — Institutions should regularly monitor and adjust risk positions and exceptions to operating within established policies, limits, and risk appetite related to climate risks.  Due to the dynamic nature of climate risk, institutions should also monitor for emerging risks and update risk data and metrics regularly
4. Control Risk — The board and management should establish and implement plans to mitigate and manage their exposure to material climate risk and regularly assess the plan’s effectiveness
5. Incorporate Climate Risk to Existing Risk Categories — Climate risk may materially affect existing risk categories, such as credit, market, operational, liquidity, legal and compliance, and strategic risks

Data Aggregation and Reporting
Institutions should develop risk data aggregation capabilities and risk reporting practices to monitor material climate risk and produce timely information to facilitate board and management decision-making. The monitoring and management information systems should be consistent with the nature, scale, complexity, and diversity of the organization’s operations and level of exposure to climate risk.

Scenario Analysis
Climate scenario analysis may be a useful tool in identifying, anticipating, managing, and measuring climate risks. The analysis should consider a range of scenarios based on assumptions regarding impact of climate risk over different time horizons to assess the resilience of their business models and strategies, identify and measure vulnerability, estimate exposures and potential impacts, and determine the materiality of climate risks. In the near term, a scenario analysis can assist in identifying data and methodological limitations and uncertainty in managing these risks that may need to be addressed.

Practical Impact to Financial Institutions

The DFS has made clear its expectation that Covered Institutions begin to integrate CRFR into their governance frameworks, risk management processes, and business strategies, while also emphasizing that uncertainty and data gaps should not justify inaction.  

Key Considerations

Although there is no implementation timeline, Institutions should review and consider incorporating the recommendations highlighted by the DFS even if there are uncertainties and gaps in the data. An institution’s board and management must oversee the incorporation of the Guidance into its business strategy, risk management, and controls to address the physical and transient risks posed by climate change, while ensuring that decisions do not negatively impact at-risk communities, fair lending practices, and consumer protection. The institution should also collect data on the material risks and conduct scenario analysis to more accurately determine the materiality of the potential risks that should be used to make updates related to CRFR that are more specific to the institution.

How Guidehouse Can Help

Guidehouse can help financial institutions conduct assessments in light of the proposed regulatory and guidance changes, including determining changed obligations under the proposed rules and guidance, and developing and implementing updates to operations, policies, procedures, controls, and technology. Its areas of relevant expertise include the following:

• Environmental, Social, and Governance (ESG)
• Anti-money laundering
• Customer due diligence
• Sanctions
• Strategic planning
• Risk management
• Vendor sourcing and governance
• Executive training

Guidehouse can review and assess your program and policies and procedures to help determine whether it is sound, identify gaps or weaknesses, or conduct training on ESG, AML, CDD, and Sanctions compliance, including blockchain tracing and analytics. Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.

This article is co-authored by Ji Kang.